[clug] SSH attack

Steven Farlie steven.farlie at gmail.com
Mon Jul 25 16:26:35 GMT 2005

Steve Jenkin wrote:
> Tonight I noticed lots of inbound network activity to an unused host: I
> mapped SSH through the firewall to it.
> First event in log:
> Jun 30 22:58:42 cdr sshd[3536]: Illegal user test from
> Jun 30 22:58:45 cdr sshd[3536]: Failed password for illegal user test
> from port 60518 ssh2
> Could this explain the compromise someone on the list saw recently?
> I've created two lists from the attempts I've seen in /var/log/secure,
> URLs below.  Hope this is helpful to some of you out there.  The first
> number in the file is the count.
> http://tip.net.au/~sjenkin/hack-ipnr.txt
> http://tip.net.au/~sjenkin/hack-logins.txt

Someone's been doing plain old dictionary attacks on ssh for a while now. 
It seems to be reasonably effective. Even if it takes a bit longer than 
a regular attack, you might just end up owning a unix box on a big fat pipe.


> BTW: I've read the man page for 'sshd_config', and it seems pretty
> sketchy to me on how to limit connections to sshd.  All I found was:
> => AllowUsers USER@HOST 
> Doesn't seem to understand limiting to subnets or denying from address
> ranges, say like Apache...  Did I get this right?

Yep, that's about it. Most people should just set AllowUsers and enforce 
strong passwords on those. Subnet and address range blocking is usually 
best handled by firewalls.

Steven Farlie
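The two count lists Steve describes (attempts per source address and per login name, count first) can be regenerated straight from /var/log/secure. This is an added example, not code from either poster; the log lines below are constructed for the example and use RFC 5737 documentation addresses, and the noisy_sources threshold is an arbitrary choice.

```shell
# Constructed sample of /var/log/secure lines in the format quoted above.
# Real use: failed_by_ip < /var/log/secure
SAMPLE_LOG='Jun 30 22:58:42 cdr sshd[3536]: Illegal user test from 192.0.2.10
Jun 30 22:58:45 cdr sshd[3536]: Failed password for illegal user test from 192.0.2.10 port 60518 ssh2
Jun 30 22:58:49 cdr sshd[3540]: Illegal user guest from 192.0.2.10
Jun 30 22:58:52 cdr sshd[3540]: Failed password for illegal user guest from 192.0.2.10 port 60520 ssh2
Jun 30 22:58:57 cdr sshd[3542]: Failed password for illegal user test from 192.0.2.10 port 60525 ssh2
Jun 30 23:01:03 cdr sshd[3551]: Failed password for root from 198.51.100.7 port 41022 ssh2
Jun 30 23:01:07 cdr sshd[3553]: Failed password for illegal user admin from 198.51.100.7 port 41030 ssh2
Jun 30 23:05:11 cdr sshd[3560]: Accepted publickey for alice from 203.0.113.5 port 50000 ssh2'

# Failed-password attempts per source address, "count ip", busiest first.
# Only "Failed password" lines count; "Illegal user" lines precede them
# for the same attempt and would double-count if included.
failed_by_ip() {
    sed -n 's/.*Failed password for .* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Failed-password attempts per login name tried, "count login", busiest first.
# The optional "illegal user " / "invalid user " prefix is stripped so that
# guesses against real accounts (e.g. root) and non-existent ones land in one list.
failed_by_login() {
    sed -n 's/.*Failed password for \([a-z]* user \)\{0,1\}\([^ ]*\) from .*/\2/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Source addresses with at least $1 failures: candidates for a firewall rule,
# which (as the reply notes) is where address blocking belongs, not sshd_config.
noisy_sources() {
    failed_by_ip | awk -v min="$1" '$1 >= min {print $2}'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | failed_by_login
printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3
```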